Re: SMTP AUTH with XCLIENT - impossible or just difficult?

Maxim Dounin
August 05, 2010 10:06PM
Hello!

On Wed, Aug 04, 2010 at 08:02:29AM -0500, Karl Kraft wrote:

> I have been successful at using nginx as a front end to POP and
> IMAP servers to keep mailboxes spread across multiple machines.
> It also provided the added benefit of enabling SSL for privacy.
> I wrote a custom HTTP based authentication agent to direct to
> the proper mailbox, and everything seems to work great. Now I
> would like to do the same for SMTP connections, using nginx as
> both an SSL front end and director to my SMTP daemons.
>
> However, after implementing XCLIENT in the SMTP daemon, and
> adding a simple configuration to nginx, all is not well. After
> working my way through the mailing list and trying several
> configurations, I am left thinking that XCLIENT with
> authentication simply does not work. Has anyone ever managed to
> get this to work?

[...]

> SN: 220 explorer.karlkraft.com. - explorer.karlkraft.com
> (NFSmtp/2006q2.1) Authorized network 10.10.0.0/255.255.0.0
> NS: EHLO veyron.karlkraft.com
> SN: 250-/10.10.10.104
> SN: 250-EXPN
> SN: 250-NAME ADDR PROTO HELO
> SN: 250-SIZE
> SN: 250-AUTH CRAM-MD5 PLAIN
> SN: 250 HELP

Here the actual problem happens. nginx doesn't really understand
multiline SMTP replies, but usually handles them nicely once they
happen to be in a single TCP packet.

Most likely your TCP daemon sends the EHLO reply in multiple packets.
This isn't good from a performance point of view but anyway should
be supported. Try the attached patch.

[...]

> The only way I am able to get close to a working connection is
> with the following two conditions:
>
> Turn XCLIENT off - this of course makes it impossible for the
> back end server to know the authenticated username or source IP
> address.
>
> Client must send HELO instead of EHLO - controlling all the
> clients is out of the question.

While XCLIENT is mostly unrelated - it forces nginx to use ESMTP
with the backend, i.e. use EHLO. In your case the EHLO reply is a
multiline one and split across multiple packets. This in turn causes
all the troubles (and the same thing happens if the client itself
uses ESMTP).

Maxim Dounin
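
Added example, not part of the original message and not code from nginx or from the patch it mentions: a C sketch of how a proxy can tell whether the bytes buffered so far form one complete SMTP reply, so that a multiline EHLO reply split across TCP packets is held until its final line arrives. The function name `smtp_reply_code` and the packet split points in `SPLIT_EHLO` are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return the reply code once buf[0..len) holds a complete SMTP reply
 * (RFC 5321, 4.2.1), 0 if more bytes are needed, -1 if malformed.
 * "DDD-text\r\n" continues a reply; "DDD text\r\n" or "DDD\r\n" ends it. */
static int smtp_reply_code(const char *buf, size_t len)
{
    size_t pos = 0;
    int first = -1;
    while (pos < len) {
        const char *lf = memchr(buf + pos, '\n', len - pos);
        if (lf == NULL)
            return 0;                        /* line cut by a packet boundary */
        size_t end = (size_t)(lf - buf);     /* index of the LF */
        const unsigned char *l = (const unsigned char *)buf + pos;
        if (end - pos < 4 || buf[end - 1] != '\r' || l[0] < '2' || l[0] > '5'
            || !isdigit(l[1]) || !isdigit(l[2]))
            return -1;
        int c = (l[0] - '0') * 100 + (l[1] - '0') * 10 + (l[2] - '0');
        if (first != -1 && c != first)
            return -1;                       /* code must be the same on every line */
        first = c;
        if (l[3] == ' ' || (l[3] == '\r' && end - pos == 4))
            return c;                        /* final line: reply is complete */
        if (l[3] != '-')
            return -1;
        pos = end + 1;                       /* continuation line: keep scanning */
    }
    return 0;                                /* only continuation lines so far */
}

/* The EHLO reply quoted in the thread, cut at constructed packet boundaries. */
static const char *const SPLIT_EHLO[] = {
    "250-/10.10.10.104\r\n250-EXPN\r\n250-NA",
    "ME ADDR PROTO HELO\r\n250-SIZE\r\n",
    "250-AUTH CRAM-MD5 PLAIN\r\n250 HELP\r\n",
};

int main(void)
{
    char buf[256] = "";
    for (size_t i = 0; i < sizeof(SPLIT_EHLO) / sizeof(SPLIT_EHLO[0]); i++) {
        strcat(buf, SPLIT_EHLO[i]);          /* sample data fits in buf */
        printf("after packet %zu: %d\n", i + 1, smtp_reply_code(buf, strlen(buf)));
    }
    return 0;
}
```

A caller keeps reading from the backend while the function returns 0 and acts on the reply only when it returns a code, which also keeps a continuation line such as `250-AUTH CRAM-MD5 PLAIN` from being treated as the end of the capability list.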
